# syntax=docker/dockerfile:1.7
#
# Source-built SF server image for Forgejo self-deploy.
#
# Purpose: package the exact repository revision Forgejo verified, including
# the staged Next.js standalone host and release manifest, instead of installing
# a mutable npm tag at runtime.
#
# Consumer: .forgejo/workflows/self-deploy.yml and GitOps deployments that run
# `sf server /workspace --host 0.0.0.0 --port 4000`.

FROM node:26.1-slim AS build

WORKDIR /src
ENV CI=1

RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    git \
    libsecret-1-dev \
    make \
    g++ \
    python3 \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

COPY package.json package-lock.json ./
COPY packages ./packages
COPY scripts ./scripts
COPY web/package.json web/package-lock.json ./web/
RUN --mount=type=cache,id=sf-server-root-npm,target=/root/.npm,sharing=locked \
    npm ci && npm --prefix web ci

COPY . .
ARG SF_GIT_SHA
ARG SF_GIT_REF
ARG SF_RELEASE_IMAGE
ARG SF_RELEASE_IMAGE_DIGEST
ARG SF_IMAGE_REPOSITORY
ENV SF_GIT_SHA=${SF_GIT_SHA}
ENV SF_GIT_REF=${SF_GIT_REF}
ENV SF_RELEASE_IMAGE=${SF_RELEASE_IMAGE}
ENV SF_RELEASE_IMAGE_DIGEST=${SF_RELEASE_IMAGE_DIGEST}
ENV SF_IMAGE_REPOSITORY=${SF_IMAGE_REPOSITORY}
RUN --mount=type=cache,id=sf-server-root-tsbuild,target=/src/dist/.tsbuildinfo,sharing=locked \
    npm run build:core
RUN --mount=type=cache,id=sf-server-next-cache,target=/src/web/.next/cache,sharing=locked \
    npm run build:web-host
RUN npm run release:manifest -- --out dist/sf-release-manifest.json
RUN npm prune --omit=dev --ignore-scripts --legacy-peer-deps
RUN rm -rf \
    rust-engine/target \
    web/.next/cache \
    web/node_modules \
    node_modules/.cache \
    packages/*/tsconfig.tsbuildinfo

FROM node:26.1-slim AS sf-server

WORKDIR /opt/sf
ENV NODE_ENV=production
ENV SF_RELEASE_MANIFEST=/opt/sf/dist/sf-release-manifest.json
ENV SF_WEB_PACKAGE_ROOT=/opt/sf
ENV SF_WEB_PREFER_SOURCE=0
ENV SF_WEB_HOST=0.0.0.0
ENV SF_WEB_PORT=4000
ENV HOSTNAME=0.0.0.0
ENV PORT=4000

RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    git \
    libsecret-1-0 \
    procps \
    tini \
    && rm -rf /var/lib/apt/lists/*

COPY --from=build /src/package.json /src/package-lock.json /src/README.md /opt/sf/
COPY --from=build /src/node_modules /opt/sf/node_modules
COPY --from=build /src/packages /opt/sf/packages
COPY --from=build /src/dist /opt/sf/dist
COPY --from=build /src/pkg /opt/sf/pkg
COPY --from=build /src/src/resources /opt/sf/src/resources
COPY --from=build /src/scripts/postinstall.js /src/scripts/link-workspace-packages.cjs /src/scripts/ensure-workspace-builds.cjs /opt/sf/scripts/
COPY --from=build /src/rust-engine/addon /opt/sf/rust-engine/addon
COPY --from=build /src/rust-engine/npm /opt/sf/rust-engine/npm
COPY --from=build /src/web/.next/standalone /opt/sf/web/.next/standalone

WORKDIR /workspace
EXPOSE 4000
ENTRYPOINT ["tini", "--"]
CMD ["node", "/opt/sf/dist/web/standalone/server.js"]